-
Name Suspicious MS Office behaviour
Clause (Event type = Follow Process and (Process Info - Exec Path doesn't contain Windows\splwow64.exe) and (Process Info - Exec Path doesn't contain chrome.exe) and (Process Info - Exec Path doesn't contain msip.executionhost.exe) and (Process Info - Exec Path doesn't contain msip.executionhost32.exe) and (Process Info - Exec Path doesn't contain msosync.exe) and (Process Info - Exec Path doesn't contain ofccccaupdate.exe)) with ancestor (Process Info - Exec Path contains winword.exe or Process Info - Exec Path contains excel.exe or Process Info - Exec Path contains powerpnt.exe)
Description This rule alerts and records whenever a Microsoft Office process (WINWORD.exe / EXCEL.exe / POWERPNT.exe) creates a child process. Based on our research we allow these Office binaries to create a few known, common child processes in order to reduce the number of false positives. Two properties of the clause are worth keeping in mind: "with ancestor" is transitive, so a grandchild such as winword.exe -> cmd.exe -> powershell.exe is also caught; and the allow list is a substring match on the exec path, so a payload dropped under a name such as chrome.exe in a user-writable directory would be excluded as well.
-
Name T1015 - Accessibility Features 1
Clause Event type = Follow Process and (Process Info - Exec Path contains cmd.exe or Process Info - Exec Path contains powershell.exe or Process Info - Exec Path contains cscript.exe or Process Info - Exec Path contains wscript.exe) and (Follow Process - Parent Exec Path contains winlogon.exe or Follow Process - Parent Exec Path contains atbroker.exe or Follow Process - Parent Exec Path contains utilman.exe)
Description This rule alerts and records when an accessibility binary (On-Screen Keyboard, Magnifier, Sticky Keys, etc.) has been abused and tricked into opening cmd / powershell / cscript / wscript. Accessibility binaries are launched by the winlogon, atbroker or utilman process, depending on where they are invoked from (the logon screen, or after the user has logged in). The rule therefore catches suspicious child processes (cmd.exe, powershell.exe, cscript.exe, wscript.exe) whose direct parent is one of those launcher processes (winlogon.exe, utilman.exe, atbroker.exe). Use it together with T1015 - Accessibility Features 2, which also catches the further child processes of those four suspicious children.
-
Name T1015 - Accessibility Features 2
Clause Event type = Follow Process with ancestor ((Process Info - Exec Path contains cmd.exe or Process Info - Exec Path contains powershell.exe or Process Info - Exec Path contains cscript.exe or Process Info - Exec Path contains wscript.exe) and (Follow Process - Parent Exec Path contains winlogon.exe or Follow Process - Parent Exec Path contains atbroker.exe or Follow Process - Parent Exec Path contains utilman.exe))
Description This rule alerts and records when an accessibility binary (On-Screen Keyboard, Magnifier, Sticky Keys, etc.) has been abused and tricked into opening cmd.exe / powershell.exe / cscript.exe / wscript.exe. Accessibility binaries are launched by the winlogon, atbroker or utilman process, depending on where they are invoked from (the logon screen, or after the user has logged in). This rule catches the children of the suspicious child processes of those launchers (winlogon, utilman and atbroker): it matches any process that has an ancestor which is itself an interpreter spawned directly by one of the launchers. It should be used together with T1015 - Accessibility Features 1, which alerts on the suspicious child processes of the accessibility binaries themselves.
-
Name T1085 - Rundll32
Clause (Event type = Follow Process and Process Info - Exec Path does not contain msiexec.exe and Process Info - Exec Path does not contain Windows\System32\SystemPropertiesRemote.exe) with ancestor (Process Info - Exec Path contains rundll32.exe and Follow Process - Parent Exec Path does not contain msiexec.exe and not (Process Info - Command String contains Windows\system32\shell32.dll or Process Info - Command String contains Windows\syswow64\shell32.dll or Process Info - Command String contains Windows\System32\migration\WinInetPlugin.dll))
Description This rule alerts and records when rundll32.exe creates a child process. rundll32.exe can be invoked to execute an arbitrary binary or DLL, or be used by control.exe to load a malicious Control Panel item. These actions are allowed when msiexec.exe is the parent of rundll32.exe or is the child process being created (installer activity), and the SystemPropertiesRemote.exe child is also excluded. We also allow some common rundll32 command lines that reference known DLLs (shell32.dll and the migration WinInetPlugin.dll). Because that allow list is a substring match on the command string, a rundll32 command line that merely mentions one of those DLL paths is excluded as well.
-
Name T1118 - InstallUtil
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains installutil.exe
Description This rule alerts and records when InstallUtil.exe creates a child process.
-
Name T1121 - Regsvcs/Regasm
Clause Event type = Follow Process and (Process Info - Exec Path does not contain fondue.exe and Process Info - Exec Path does not contain regasm.exe and Process Info - Exec Path does not contain regsvr32.exe) with ancestor (Process Info - Exec Path contains regasm.exe or Process Info - Exec Path contains regsvcs.exe)
Description This rule alerts and records when regsvcs.exe or regasm.exe creates a child process. However, to reduce the number of false positives we allow fondue.exe / regasm.exe / regsvr32.exe when they are spawned by regasm.exe or regsvcs.exe. The three exclusions must be joined with "and": joined with "or", the exclusion clause would be true for every process (no single exec path can contain all three names) and nothing would ever be excluded.
-
Name T1127 - Trusted Developer Utilities - msbuild.exe
Clause (Event type = Unseen Command with ancestor Process Info - Exec Path contains MSBuild.exe) and (Process Info - Exec Path does not contain Tracker.exe) and (Process Info - Exec Path doesn't contain csc.exe) and (Process Info - Exec Path does not contain Microsoft Visual Studio) and (Process Info - Exec Path does not contain al.exe) and (Process Info - Exec Path does not contain lc.exe) and (Process Info - Exec Path does not contain dotnet.exe) and (Process Info - Exec Path does not contain cvtres.exe) and (Process Info - Exec Path does not contain conhost.exe) and not (Event type = Unseen Command with ancestor (Process Info - Exec Path contains Tracker.exe or Process Info - Exec Path contains csc.exe or Process Info - Exec Path contains Microsoft Visual Studio or Process Info - Exec Path contains al.exe or Process Info - Exec Path contains lc.exe or Process Info - Exec Path contains dotnet.exe or Process Info - Exec Path contains cvtres.exe))
Description This rule alerts and records when msbuild.exe creates a child process that is not on the allow list of children it normally creates. The rule is currently built on "Unseen Command" rather than "Follow Process", because Follow Process does not yet support allow-listing a whole process subtree. The rule currently allows the following processes and their descendants: Tracker.exe, csc.exe, any process under a "Microsoft Visual Studio" path, al.exe, lc.exe, dotnet.exe and cvtres.exe. It also allows conhost.exe itself (but not the descendants of conhost.exe). These processes are seen during normal use of MSBuild.exe (for example, compiling a project through Visual Studio). Every other child of MSBuild.exe (non-standard behaviour) raises an alert. Note that if MSBuild.exe itself runs from a path containing "Microsoft Visual Studio", every one of its descendants has an allow-listed ancestor and nothing under it is alerted on; in practice the rule therefore covers MSBuild.exe started from other locations, such as the .NET Framework directory.
-
Name T1127 - Trusted Developer Utilities - rcsi.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains rcsi.exe
Description This rule alerts and records when rcsi.exe creates a child process.
-
Name T1127 - Trusted Developer Utilities - tracker.exe
Clause (Event type = Unseen Command with ancestor Process Info - Exec Path contains tracker.exe) and not (Event type = Unseen Command with ancestor Process Info - Exec Path contains MSBuild.exe)
Description This rule alerts and records when tracker.exe creates a child process and tracker.exe itself is not a descendant of MSBuild.exe. Legitimate invocations of Tracker through Visual Studio are therefore accepted, while any other invocation alerts. One limitation of the Tracker.exe rule combined with the preceding MSBuild.exe rule is that if an attacker uses the MSBuild technique to spawn Tracker and then has Tracker spawn a malicious child, neither rule alerts, because a Tracker with MSBuild as an ancestor is treated as legitimate.
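As an added example that is not the rule engine's own code, the following Python reproduces the allow-listed-subtree logic of the msbuild.exe rule and the tracker.exe rule above over constructed events, and demonstrates the gap just described: MSBuild.exe -> Tracker.exe -> cmd.exe triggers neither rule. It also includes one way to close that gap which this editor suggests and the page does not describe: an extra check that flags cmd/powershell/cscript/wscript anywhere under MSBuild.exe with no subtree exemption. Events are (exec path, ancestor exec paths nearest first); matching is assumed case-insensitive; the sample paths are constructed.

```python
# Added example: T1127 msbuild.exe / tracker.exe rules and the evasion gap.
# Not the original rule engine; event shape, helper names, sample paths and
# the "interpreter under MSBuild" check are this example's own.

MSBUILD_ALLOWED = ("Tracker.exe", "csc.exe", "Microsoft Visual Studio", "al.exe",
                   "lc.exe", "dotnet.exe", "cvtres.exe")
INTERPRETERS = ("cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe")


def contains(haystack, needles):
    """'Exec Path contains X' for any X in needles; assumed case-insensitive."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def has_ancestor(ancestors, needles):
    return any(contains(a, needles) for a in ancestors)


def msbuild_rule(exec_path, ancestors):
    """T1127 - msbuild.exe: a process under MSBuild.exe that is neither an
    allow-listed build tool, nor conhost.exe, nor a descendant of an
    allow-listed build tool (the 'allowed subtree')."""
    if not has_ancestor(ancestors, ("MSBuild.exe",)):
        return False
    if contains(exec_path, MSBUILD_ALLOWED + ("conhost.exe",)):
        return False
    return not has_ancestor(ancestors, MSBUILD_ALLOWED)


def tracker_rule(exec_path, ancestors):
    """T1127 - tracker.exe: a process under tracker.exe, unless MSBuild.exe is
    also an ancestor (treated as a legitimate Visual Studio build)."""
    return (has_ancestor(ancestors, ("tracker.exe",))
            and not has_ancestor(ancestors, ("MSBuild.exe",)))


def msbuild_interpreter_rule(exec_path, ancestors):
    """Editor's suggested extra check (not on the page): a script interpreter
    anywhere under MSBuild.exe, with no allow-listed subtree exemption."""
    return has_ancestor(ancestors, ("MSBuild.exe",)) and contains(exec_path, INTERPRETERS)


RULES = {
    "T1127 - msbuild.exe": msbuild_rule,
    "T1127 - tracker.exe": tracker_rule,
    "interpreter under MSBuild.exe (editor's suggestion)": msbuild_interpreter_rule,
}


def fired(exec_path, ancestors):
    return [name for name, rule in RULES.items() if rule(exec_path, ancestors)]


# Constructed paths: the .NET Framework MSBuild commonly abused by attackers,
# a Visual Studio-installed MSBuild, and a Tracker.exe next to the former.
FW_MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
VS_MSBUILD = r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"
TRACKER = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Tracker.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    # 1. Shell directly under the Framework MSBuild: the msbuild rule fires.
    (CMD, [FW_MSBUILD, EXPLORER]),
    # 2. Allowed subtree: cvtres.exe under csc.exe under MSBuild, nothing fires.
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", [r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", FW_MSBUILD]),
    # 3. The gap: MSBuild -> Tracker -> cmd.exe evades both page rules.
    (CMD, [TRACKER, FW_MSBUILD, EXPLORER]),
    # 4. Tracker without MSBuild above it: the tracker rule fires.
    (CMD, [TRACKER, EXPLORER]),
    # 5. Shell under a Visual Studio-installed MSBuild: the "Microsoft Visual
    #    Studio" exemption applies to MSBuild.exe itself, so no page rule fires.
    (CMD, [VS_MSBUILD, EXPLORER]),
    # 6. conhost.exe under MSBuild is exempt.
    (r"C:\Windows\System32\conhost.exe", [FW_MSBUILD, EXPLORER]),
]


def evaluate(events=SAMPLE_EVENTS):
    return [fired(exe, anc) for exe, anc in events]


if __name__ == "__main__":
    for (exe, anc), hits in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{exe} <- {anc[0]}: {hits or 'no alert'}")
```

The suggested interpreter check fires on events 1, 3 and 5. Its cost is noise from legitimate builds whose Exec tasks or post-build events run through cmd.exe, so in practice it is best scoped to MSBuild.exe started from outside the Visual Studio directory or to hosts that are not developer workstations.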
-
Name T1128 - Netsh Helper DLL
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains netsh.exe
Description This rule alerts and records when netsh.exe creates a child process.
-
Name T1136 - Create Account
Clause Event type = User Account
Description This rule alerts and records when a new user account is created.
-
Name T1138 - Application Shimming
Clause Event type = Follow Process and Process Info - Exec Path contains sdbinst.exe
Description This rule alerts and records when sdbinst.exe is invoked.
-
Name T1180 - Screensaver
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains .scr
Description This rule alerts and records when a process is created whose exec path contains ".scr". Note that, as written, the clause matches processes that have an ancestor with ".scr" in its exec path, i.e. the children of a screensaver; to alert on the launch of the .scr file itself as well, apply the condition to the created process's own exec path instead of (or in addition to) the "with ancestor" form.
-
Name T1191 - CMSTP
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains cmstp.exe
Description This rule alerts and records when cmstp.exe creates a child process.
-
Name T1202 - Indirect Command Execution - forfiles.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains forfiles.exe
Description This rule alerts and records when forfiles.exe creates a child process.
-
Name T1202 - Indirect Command Execution - pcalua.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains pcalua.exe
Description This rule alerts and records when pcalua.exe (the Program Compatibility Assistant) creates a child process.
-
Name T1216 - Signed Script Proxy Execution - pubprn.vbs
Clause Event type = Follow Process with ancestor ((Process Info - Exec Path contains cscript.exe or Process Info - Exec Path contains wscript.exe) and Process Info - Command String contains .vbs and Process Info - Command String contains script)
Description This rule alerts and records when any .vbs script run through wscript.exe or cscript.exe with a "script" argument creates a new process. An attacker can abuse this by running pubprn.vbs with a script: argument that points at a malicious .sct file, which is then executed. Because "script" is a substring match on the command string, any .vbs invocation whose arguments contain that word will also satisfy the clause.
-
Name T1218 - Signed Binary Proxy Execution - msiexec.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains msiexec.exe
Description This rule alerts and records when msiexec.exe creates a child process.
-
Name T1218 - Signed Binary Proxy Execution - odbcconf.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains odbcconf.exe
Description This rule alerts and records when odbcconf.exe creates a child process.
-
Name T1218 - Signed Binary Proxy Execution - Register-CimProvider
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains Register-CimProvider.exe
Description This rule alerts and records when Register-CimProvider.exe creates a child process.
-
Name T1220 - XSL Script Processing - msxsl.exe
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains msxsl.exe
Description This rule alerts and records when msxsl.exe creates a child process.
-
Name T1220 - XSL Script Processing - wmic
Clause Event type = Follow Process and (Process Info - Exec Path contains wmic.exe and Process Info - Command String contains .xsl)
Description This rule alerts and records when wmic is invoked with an .xsl stylesheet (the /format: switch). A stylesheet can carry script, so this can be used to launch arbitrary binaries.
-
Name T1223 - Compiled HTML File
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains hh.exe
Description This rule alerts and records when hh.exe creates a child process.
-
Name T1003 - Credential Dumping - Lsass
Clause Event type = Follow Process and Process Info - Exec Path contains procdump.exe and Process Info - Command String contains lsass
Description This rule alerts and records when procdump.exe is used to dump the memory of the lsass process. The match is on the binary's file name, so a renamed copy of procdump would not be caught by this rule.
-
Name T1140 - Deobfuscate/Decode Files or Information
Clause Event type = Follow Process and Process Info - Exec Path contains certutil.exe and (Process Info - Command String matches .*encode\s.* or Process Info - Command String matches .*decode\s.*)
Description This rule alerts and records when certutil.exe is used to encode or decode a file. Attackers commonly use this technique to decode an encoded payload on the victim machine. Note that both patterns require whitespace directly after "encode"/"decode", so the related -decodehex switch is not matched by this rule as written.
-
Name T1076 - Remote Desktop Protocol
Clause Event type = Follow Process and Process Info - Exec Path contains tscon.exe
Description This rule alerts and records when tscon.exe is executed. Attackers can use tscon.exe to hijack an existing RDP session.
-
Name T1197 - BITS Jobs - Powershell
Clause Event type = Follow Process and Process Info - Exec Path contains powershell.exe and Process Info - Command String contains Start-BitsTransfer
Description This rule alerts and records when powershell.exe is used to run the Start-BitsTransfer cmdlet to copy or move files. The rule only covers the PowerShell cmdlet; BITS jobs created through bitsadmin.exe are not matched by it.
-
Name T1170 - MSHTA
Clause Event type = Follow Process with ancestor Process Info - Exec Path contains mshta.exe
Description This rule alerts and records when mshta.exe runs a malicious HTA script that spawns a child process.
-
Name T1158 - Hidden Files and Directories
Clause Event type = Follow Process and (Process Info - Exec Path contains attrib.exe and Process Info - Command String contains +h)
Description This rule alerts and records when attrib.exe is used to set a file or directory as hidden.
-
Name T1114 - Email Collection
Clause Event type = Follow Process and (Process Info - Command String matches .*\.(ost|pst)(\s|"|').* or Process Info - Command String matches .*\.(ost|pst)$) and Process Info - Exec Path doesn't contain outlook.exe
Description This rule alerts and records when mail files (.ost and .pst) are accessed by any process other than Outlook.exe. The dot before the extension must be escaped in the patterns; left as a bare ".", any character would be accepted there and words ending in "ost" or "pst" (such as "post") would match.
-
Name T1070 - Indicator Removal on Host - Event Logs
Clause Event type = Follow Process and Process Info - Exec Path contains wevtutil.exe and Process Info - Command String matches .*\s(cl|clear-log)\s.*
Description This rule alerts and records when wevtutil.exe is used to clear an event log.
-
Name T1070 - Indicator Removal on Host - USN
Clause Event type = Follow Process and Process Info - Exec Path contains fsutil.exe and Process Info - Command String matches .*\susn\s.* and Process Info - Command String matches .*\sdeletejournal.*
Description This rule alerts and records when fsutil.exe is used to delete the USN journal.
-
Name T1053 - Scheduled Task
Clause Event type = Follow Process and Process Info - Exec Path contains schtasks.exe and Process Info - Command String contains create
Description This rule alerts and records when schtasks.exe is used to create a new scheduled task.
-
Name T1003 - Credential Dumping - Vaultcmd
Clause Event type = Follow Process and Process Info - Exec Path contains vaultcmd.exe and Process Info - Command String matches .*\/list.*
Description This rule alerts and records when vaultcmd.exe is used to enumerate the Windows Credential Manager vaults.
-
Name T1003 - Credential Dumping - Registry
Clause Event type = Follow Process and Process Info - Exec Path contains reg.exe and ((Process Info - Command String contains save or Process Info - Command String contains export) and (Process Info - Command String contains hklm or Process Info - Command String contains hkey_local_machine) and (Process Info - Command String contains sam or Process Info - Command String contains security or Process Info - Command String contains system))
Description This rule alerts and records when reg.exe is used to dump the SAM, SECURITY or SYSTEM registry hives. Because "system" is a substring match, a save of another HKLM key to a destination path under System32 would also satisfy the last condition.
-
Name T1201 - Password Policy Discovery 1
Clause Event type = Follow Process and Process Info - Exec Path contains chage and Process Info - Command String contains -l
Description This rule alerts and records when the chage utility is used to list the password ageing policy (password expiry information) of an account on a Linux machine. The utility is spelled chage; an exec path filter on "change" would not match /usr/bin/chage.
-
Name T1081 - Credentials in Files - Linux
Clause Event type = Follow Process and (Process Info - Exec Path contains cat or Process Info - Exec Path contains grep) and (Process Info - Command String contains .bash_history or Process Info - Command String contains .password or Process Info - Command String contains .passwd)
Description This rule alerts and records when cat or grep is used to read or search files on a Linux machine that commonly hold passwords (.bash_history, or files whose names contain .password or .passwd). Because "cat" is a substring match on the exec path, other binaries whose names contain it (for example truncate) also satisfy the first condition.
-
Name T1081 - Credentials in Files - Windows
Clause Event type = Follow Process and Process Info - Exec Path contains findstr.exe and Process Info - Command String contains password
Description This rule alerts and records when findstr.exe is used to search files on a Windows machine for stored passwords.
-
Name T1089 - Disabling Security Tools
Clause Event type = Follow Process and ((Process Info - Exec Path contains fltmc.exe and Process Info - Command String contains unload sysmon) or (Process Info - Exec Path contains sysmon.exe and Process Info - Command String contains /u))
Description This rule alerts and records when an attempt is made to unload the Sysmon driver with fltmc.exe or to uninstall Sysmon with sysmon.exe /u. The "unload sysmon" match relies on the driver keeping its default name (SysmonDrv); a Sysmon installed with a custom driver name would not be matched by the fltmc.exe half of the rule.